Blog
·5 min read·VAIBot

Your coding agent runs shell commands with your permissions. Nothing is watching.

circuit-breakeragentssecurity

If you run Claude Code, Codex, Cursor, or an OpenClaw agent, you have handed a language model a shell. It runs git, npm install, curl, rm; it edits files and calls APIs — with your permissions, on your machine. Most of the time that is the entire point. The problem is the failure mode.

A model doesn't have to be malicious to be dangerous

It only has to be wrong, or steered. A hallucinated rm -rfagainst the wrong path. A README that says “to finish setup, run this” and the agent obliges. A dependency's post-install script, or a webpage the agent fetched, that contains text the model reads as an instruction. In every one of these cases there is no confirmation step, no policy, and no record. The command just runs, because nothing sits between “the model decided to” and “the OS did.”

The common answers each miss something:

  • Full sandboxing / VMs — great isolation, but they break the workflow the agent exists to speed up, and teams turn them off.
  • Review every command yourself — you approve the first ten, then you approve everything, then you approve nothing.
  • A cloud proxy in the path — now a third party sees every prompt, file, and secret your agent touches. That is a different risk, not a smaller one.

What we built: a circuit breaker for agent actions

VAIBot is a small, local enforcement daemon — @vaibot/guard — plus thin plugins for each agent (Claude Code, Codex, Cursor, OpenClaw). The plugin hooks the agent's tool-execution lifecycle: before a shell command or tool call actually runs, it asks the guard for a decision. The guard evaluates your policy and returns one of three lanes:

  • allow — run it, and record it.
  • ask — pause and require an explicit human approval first.
  • deny — block it, and record the attempt.

Conceptually the hook is boring, which is the point — it is a function that returns a verdict the runtime honors:

beforeShellExecution({ command: "rm -rf ./build", cwd })
  -> guard.decide(command, policy)
  -> { permission: "ask", reason: "destructive filesystem verb" }
// runtime pauses for approval instead of deleting

Fail-closed, on purpose

If the guard is unreachable, mis-started, or throws, the default is to block, not wave the action through. A security control that fails open is theater; the first time it matters is exactly when something is already wrong. You can tune the lanes per command class, but the floor is deny-by-default and enforcement is on out of the box.

The decision is local

The allow/ask/deny decision happens on your machine, against a policy you control. Your commands and prompts are not shipped to a server to be judged. The control plane's job is to hand the guard a signedpolicy and mode — not to watch your traffic. Every decision is appended to a tamper-evident, hash-chained audit log, so “what did the agent try to do at 3am” has an answer that can't be quietly rewritten.

One command across every agent

curl -fsSL https://vaibot.io/install.sh | sh
vaibot init   # installs the guard + the plugin for each agent it detects

The CLI (published on crates.io) is the installer/supervisor; the plugins are on npm. It detects the agents you already use and wires the same guard under all of them, so your policy is one thing, not four.

What it is not

Honest limits: this is a policy gate, not a sandbox. If you allow a tool, an action that uses only allowed tools can still be wrong — the value is in gating the classes that matter (destructive commands, network egress, secret access) and recording everything else. It also only sees actions that flow through a hooked path; an agent that shells out through some unhooked side channel is outside its view. We think that is the right tradeoff: a brake you keep on beats an airbag you disabled.

If you have wired an LLM into anything that can touch a filesystem or a network, put something between the decision and the execution. Start here, or read why we think the enforcement point has to be the client in AI governance that doesn't ship your work to a cloud.

Put a brake on your AI stack.

One command installs the guard across the agents you already use — free, no signup to start.

$ curl -fsSL https://vaibot.io/install.sh | sh